Australia’s controversial anti-encryption laws came under independent scrutiny this week as tech leaders, including Microsoft’s Brad Smith, continued to criticize the legislation.
The country’s Parliamentary Joint Committee on Intelligence and Security (PJCIS) has referred the Telecommunication & Other Legislation Amendment (Assistance & Access) Act of 2018 (TOLA) to the Independent National Security Legislation Monitor (INSLM).
The legislation, passed by a parliamentary vote in December, enables the government to coerce technology companies into decrypting user communications. It would allow the government to gain access to encrypted communications sent via messaging apps, for example.
Under the legislation, the government can first ask the technology companies for help. If they don’t want to help, it can force them to. If they are unable to help, then the government can force them to change their systems, making it possible for them to provide the necessary support.
INSLM is an independent position established by legislation. It has access to all relevant material, regardless of national security classification, can force anyone to answer its questions, and holds both public and private hearings.
The current INSLM, Dr. James Renwick, will review whether the legislation properly safeguards individual rights and whether it remains proportional to the threat to national security, said a statement from the PJCIS. Committee chair Andrew Hastie MP and deputy chair Anthony Byrne MP added:
In our view, the INSLM provides a valuable, independent perspective on the balance between necessary security measures and the protection of civil liberties. As such, the INSLM is an important and valued component of Australia’s national security architecture.
Companies will go elsewhere, warns Microsoft
The move follows strong complaints from the technology sector about the legislation’s scope and perceived lack of clarity.
In February, the Mozilla Corporation and FastMail both wrote to the PJCIS, complaining that the wording of the legislation was too vague, and could be used to directly force individual employees to tinker with technology systems without telling anyone. Mozilla argued that the law effectively forced the company to treat Australian employees as insider threats.
The latest technology luminary to speak out against the laws was Microsoft president and chief legal officer Brad Smith. Speaking in Canberra, he warned that given the vagueness of the legislation, people’s privacy was at risk:
… I think people will worry and we will be among those who will worry because we do feel it is vitally important we protect our customer’s privacy.
He warned that the legislation could turn companies away from storing their data in Australia. Companies in other countries were already asking Microsoft to build more data centers outside Australia, he said, adding:
If I were an Australian who wanted to advance the Australian technology economy, I would want to address that and put the minds of other like-minded governments at ease.
Scott Farquhar, co-founder and co-chief executive of collaboration and security software company Atlassian, criticised the legislation for putting Australian jobs at risk.
Speaking at the Safe Encryption Australian forum this week, he warned that the Act created uncertainty for the company’s staff and customers.
Dr Renwick must submit his report by 1 March 2020 to the PJCIS, which will factor the findings into its own review of the legislation, due later that year.
Bryan
I’m interested to see how this plays out–hopefully it’ll end better than the U.S. net neutrality skirmish.
And ouch:
When Microsoft is the one saying your idea is bad…
Mike Schwab (@maschwab63)
Effectively, people in Australia won’t be able to use applications requiring a sign-on. Like email, Facebook, online banking and credit card purchases.
anonymous coward
Australia is already a terrible place for data storage, so most world data isn’t stored there. Half of the continent is prone to significant earthquakes, another half flooding. It’s half moderate temperatures, half seasonal extremes. The workforce is moderately paid outside the major urban centers, but electricity prices are high. Australia’s got a gun ban, limiting data center security options. Their crime rates are unappealing to the tech wizards who would rather take jobs in other countries to run data centers. And it’s an island that moves 7 centimeters every year, making undersea data cables cost more to maintain there. Altogether, a terrible place to store international data.
Mitica
Just wait until a high positioned politician gets his private data in the hands of Government…
It’s just a matter of time until they’ll realise that it’s not just stupid, but against human and consumer’s rights.
Mike
Actually, the legislation (which I have read) specifically prohibits the government from “requiring any service provider to build a back door” – but if you *do* have one, you are required to provide access to it if served a warrant. This is backed up by pretty severe penalties.
Simple solution: don’t put back doors in your stuff (especially if you’re a telco).
It’s primarily aimed at companies that might aid foreign governments, not at individual privacy. If offshore companies start choosing to host their data offshore, the Australian government would no doubt consider it a completely reasonable and welcome outcome. If providers choose not to implement means to intercept and decrypt their customers’ data, that’d also be reasonable and welcome.
Danny Bradbury
The law does not require companies to add back doors to their products and services, and I never said it did.
The law does require companies to help the government get at people’s data in several different and far-reaching ways, though, as its own briefing documents and section 317E of the legislation make clear.